MAS-CSO-FLOMUSTAll frameworksImplementation guide coming soon

Information Flows and Security Categories

Minimum Assessment Scope (MAS) · General Provider Responsibilities

Applies to: Providers

Who this applies to: Providers
Service class: All service classes
Force: MUST
Timeframe: No fixed timeframe

Reviewed implementation guidance for MAS-CSO-FLO is not published yet. The official source below remains complete and authoritative.

Official FedRAMP source

Verbatim from FedRAMP/rules

Providers MUST clearly identify, document, and explain information flows and security categories for ALL information resources or sets of information resources in the cloud service offering.

Defined terms in this requirement

Cloud Service Offering Handle Information Resource Provider Security Category Third-Party Information Resource

Notes

Information resources (including third-party information resources) MAY vary by security category as appropriate to the type of information handled by or impacted by the information resource.

Change history

2026-05-04Initial reset for the Consolidated Rules for 2026 Public Preview.

Content provenance

Official requirement text is sourced from FedRAMP/rules . Boundera implementation guidance has not been fully reviewed for this item.